coop-cloud-chaos-patchs/outline
coop-cloud-chaos-patchs
/
outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixes #593

This commit is contained in:
Tom Moor 2018-02-24 20:44:13 -08:00
parent fb19075d0e
commit f3c7fb8bc6
6 changed files with 52 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
server/api/__snapshots__/documents.test.js.snap
View File

@ -1,11 +1,10 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`#documents.create should create as a child 1`] = `
exports[`#documents.create should error with invalid parentDocument 1`] = `
Object {
"error": "invalid_parent_document",
"message": "Invalid parentDocument",
"error": "authorization_error",
"message": "Authorization error",
"ok": false,
"status": 400,
}
`;
@ -56,7 +55,7 @@ Object {
exports[`#documents.update should fail if document lastRevision does not match 1`] = `
Object {
"error": "document_has_changed_since_last_revision",
"error": "invalid_request",
"message": "Document has changed since last revision",
"ok": false,
"status": 400,

43
server/api/documents.js
View File

@ -1,11 +1,11 @@
// @flow
import Router from 'koa-router';
import httpErrors from 'http-errors';
import auth from './middlewares/authentication';
import pagination from './middlewares/pagination';
import { presentDocument, presentRevision } from '../presenters';
import { Document, Collection, Star, View, Revision } from '../models';
import { ValidationError, InvalidRequestError } from '../errors';
import policy from '../policies';
const { authorize } = policy;
@ -208,8 +208,6 @@ router.post('documents.create', auth(), async ctx => {
});
authorize(user, 'publish', ownerCollection);
if (!ownerCollection) throw httpErrors.BadRequest();
let parentDocumentObj = {};
if (parentDocument && ownerCollection.type === 'atlas') {
parentDocumentObj = await Document.findOne({
@ -218,8 +216,7 @@ router.post('documents.create', auth(), async ctx => {
atlasId: ownerCollection.id,
},
});
if (!parentDocumentObj)
throw httpErrors.BadRequest('Invalid parentDocument');
authorize(user, 'read', parentDocumentObj);
}
const newDocument = await Document.create({
@ -258,7 +255,7 @@ router.post('documents.update', auth(), async ctx => {
authorize(ctx.state.user, 'update', document);
if (lastRevision && lastRevision !== document.revisionCount) {
throw httpErrors.BadRequest('Document has changed since last revision');
throw new InvalidRequestError('Document has changed since last revision');
}
// Update document
@ -283,27 +280,25 @@ router.post('documents.move', auth(), async ctx => {
const { id, parentDocument, index } = ctx.body;
ctx.assertPresent(id, 'id is required');
if (parentDocument)
ctx.assertUuid(parentDocument, 'parentDocument must be an uuid');
ctx.assertUuid(parentDocument, 'parentDocument must be a uuid');
if (index) ctx.assertPositiveInteger(index, 'index must be an integer (>=0)');
const user = ctx.state.user;
const document = await Document.findById(id);
authorize(ctx.state.user, 'update', document);
authorize(user, 'update', document);
const collection = document.collection;
if (collection.type !== 'atlas')
throw httpErrors.BadRequest("This document can't be moved");
throw new InvalidRequestError('This document cant be moved');
// Set parent document
if (parentDocument) {
const parent = await Document.findById(parentDocument);
if (!parent || parent.atlasId !== document.atlasId)
throw httpErrors.BadRequest(
'Invalid parentDocument (must be same collection)'
);
authorize(user, 'update', parent);
}
if (parentDocument === id)
throw httpErrors.BadRequest('Infinite loop detected and prevented!');
throw new InvalidRequestError('Infinite loop detected and prevented!');
// If no parent document is provided, set it as null (move to root level)
document.parentDocumentId = parentDocument;
@ -327,27 +322,11 @@ router.post('documents.delete', auth(), async ctx => {
const collection = document.collection;
if (collection.type === 'atlas') {
// Don't allow deletion of root docs
if (collection.documentStructure.length === 1) {
throw httpErrors.BadRequest(
"Unable to delete collection's only document"
);
}
// Delete document and all of its children
try {
await collection.removeDocument(document);
} catch (e) {
throw httpErrors.BadRequest('Error while deleting');
}
await collection.removeDocument(document);
}
// Delete the actual document
try {
await document.destroy();
} catch (e) {
throw httpErrors.BadRequest('Error while deleting document');
}
await document.destroy();
ctx.body = {
success: true,

4
server/api/documents.test.js
View File

@ -312,7 +312,7 @@ describe('#documents.create', async () => {
expect(body.data.collection.documents[0].children[0].id).toBe(body.data.id);
});
it('should create as a child', async () => {
it('should error with invalid parentDocument', async () => {
const { user, collection } = await seed();
const res = await server.post('/api/documents.create', {
body: {
@ -325,7 +325,7 @@ describe('#documents.create', async () => {
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});

8
server/api/hooks.js
View File

@ -1,6 +1,6 @@
// @flow
import Router from 'koa-router';
import httpErrors from 'http-errors';
import { AuthenticationError, InvalidRequestError } from '../errors';
import { Authentication, Document, User } from '../models';
import * as Slack from '../slack';
const router = new Router();
@ -10,7 +10,7 @@ router.post('hooks.unfurl', async ctx => {
if (challenge) return (ctx.body = ctx.body.challenge);
if (token !== process.env.SLACK_VERIFICATION_TOKEN)
throw httpErrors.BadRequest('Invalid token');
throw new AuthenticationError('Invalid token');
// TODO: Everything from here onwards will get moved to an async job
const user = await User.find({ where: { slackId: event.user } });
@ -50,7 +50,7 @@ router.post('hooks.slack', async ctx => {
ctx.assertPresent(text, 'text is required');
if (token !== process.env.SLACK_VERIFICATION_TOKEN)
throw httpErrors.Unauthorized('Invalid token');
throw new AuthenticationError('Invalid token');
const user = await User.find({
where: {
@ -58,7 +58,7 @@ router.post('hooks.slack', async ctx => {
},
});
if (!user) throw httpErrors.BadRequest('Invalid user');
if (!user) throw new InvalidRequestError('Invalid user');
const documents = await Document.searchForUser(user, text, {
limit: 5,

47
server/api/middlewares/authentication.js
View File

@ -1,20 +1,10 @@
// @flow
import httpErrors from 'http-errors';
import JWT from 'jsonwebtoken';
import { type Context } from 'koa';
import { User, ApiKey } from '../../models';
import { AuthenticationError } from '../../errors';
type AuthOptions = {
require?: boolean,
};
export default function auth(options: AuthOptions = {}) {
options = {
require: true,
...options,
};
export default function auth() {
return async function authMiddleware(
ctx: Context,
next: () => Promise<void>
@ -32,11 +22,9 @@ export default function auth(options: AuthOptions = {}) {
token = credentials;
}
} else {
if (require) {
throw httpErrors.Unauthorized(
`Bad Authorization header format. Format is "Authorization: Bearer <token>"`
);
}
throw new AuthenticationError(
`Bad Authorization header format. Format is "Authorization: Bearer <token>"`
);
}
// $FlowFixMe
} else if (ctx.body.token) {
@ -45,9 +33,7 @@ export default function auth(options: AuthOptions = {}) {
token = ctx.request.query.token;
}
if (!token && require) {
throw httpErrors.Unauthorized('Authentication required');
}
if (!token) throw new AuthenticationError('Authentication required');
if (token) {
let user;
@ -62,16 +48,13 @@ export default function auth(options: AuthOptions = {}) {
},
});
} catch (e) {
throw httpErrors.Unauthorized('Invalid API key');
throw new AuthenticationError('Invalid API key');
}
if (!apiKey) throw httpErrors.Unauthorized('Invalid API key');
if (!apiKey) throw new AuthenticationError('Invalid API key');
user = await User.findOne({
where: { id: apiKey.userId },
});
if (!user) throw httpErrors.Unauthorized('Invalid API key');
user = await User.findById(apiKey.userId);
if (!user) throw new AuthenticationError('Invalid API key');
} else {
// JWT
// Get user without verifying payload signature
@ -79,19 +62,17 @@ export default function auth(options: AuthOptions = {}) {
try {
payload = JWT.decode(token);
} catch (e) {
throw httpErrors.Unauthorized('Unable to decode JWT token');
throw new AuthenticationError('Unable to decode JWT token');
}
if (!payload) throw httpErrors.Unauthorized('Invalid token');
if (!payload) throw new AuthenticationError('Invalid token');
user = await User.findOne({
where: { id: payload.id },
});
user = await User.findById(payload.id);
try {
JWT.verify(token, user.jwtSecret);
} catch (e) {
throw httpErrors.Unauthorized('Invalid token');
throw new AuthenticationError('Invalid token');
}
}

24
server/errors.js
View File

@ -1,14 +1,10 @@
// @flow
import httpErrors from 'http-errors';
export function ValidationError(message: string = 'Validation failed') {
return httpErrors(400, message, { id: 'validation_error' });
}
export function ParamRequiredError(
message: string = 'Required parameter missing'
export function AuthenticationError(
message: string = 'Invalid authentication'
) {
return httpErrors(400, message, { id: 'param_required' });
return httpErrors(401, message, { id: 'authentication_required' });
}
export function AuthorizationError(
@ -23,6 +19,20 @@ export function AdminRequiredError(
return httpErrors(403, message, { id: 'admin_required' });
}
export function InvalidRequestError(message: string = 'Request invalid') {
return httpErrors(400, message, { id: 'invalid_request' });
}
export function NotFoundError(message: string = 'Resource not found') {
return httpErrors(404, message, { id: 'not_found' });
}
export function ParamRequiredError(
message: string = 'Required parameter missing'
) {
return httpErrors(400, message, { id: 'param_required' });
}
export function ValidationError(message: string = 'Validation failed') {
return httpErrors(400, message, { id: 'validation_error' });
}